Setup Instructions for New Team Members

Accounts, Group Memberships, Certificates, Etc.

Computing account at FNAL*

• • to get this, follow the instructions at http://www.uscms.org/uscms_at_work/computing/getstarted/getaccount_fermilab.shtml
  • When using the FNAL service now mask should not select “Computing/IT professional access only”. Although this is technically correct, this will end up requesting a service provider account at FNAL, as if you would run SAM or jobsub.

Computing account at CERN*

• • to get this, follow the instructions here: https://twiki.cern.ch/twiki/bin/view/CMSPublic/WorkBookGetAccount
  • Remember that you must be in the 'zh' group (CMS Computing Group) in order to access some of the services.
  • If you will be Working at CERN, follow the steps to get registered at CERN here: http://www.uscms.org/uscms_at_work/working_cern/registration.shtml
  • remember to CC cms-comp-ops-workflow-team@cernNOSPAMPLEASE.ch telling that you need access if you are going to be part of the Workflow Team

CERN user certificate* installed on your web browser

• • to get this, go to https://ca.cern.ch/ca/ and click on "New User Certificate"

CMS VO Registration*

• • go to the CMS VOMRS server, and follow the instructions
  • Select all the necessary roles for your functions (Ask Jen Adelman-McCarthy or David Mason)
    • You need at least be in:
      • /cms/uscms
      • /cms/TEAM

CMS hypernews account* and subscribe to the hn-cms-comp-ops mailing list

• • to get this, go to https://hypernews.cern.ch/HyperNews/CMS/add-member.pl
  • to subscribe to the hn-cms-comp-ops mailing list, go to https://hypernews.cern.ch, log in to CMS HyperNews, and click on "Subscribe to Forums," and subscribe to the "Computing Operations", "Computing Project Announcements", "CERN Computing Announcements" hypernews
  • Site Support team members should subscribe to both hn-cms-comp-ops and hn-cms-t2

Elog account*

• • to get this, go to https://cmslogbook.cern.ch/elog/Workflow+processing/?cmd=New+user
  • Write an e-mail to cms-voc@cernNOSPAMPLEASE.ch describing shortly who why you want access to the "Workflow Processing" e-log.

TWiki registration*

• • go to https://twiki.cern.ch/twiki/bin/view/Main/WebHome and select Registration

Github account*

• • Go to https://github.com/ and create a new GH account if not already created and share it with your supervisor to be a contributor to the project.

Getting access to cmst1 account*

• • Send an email to Sharad and Alan providing your CERN AFS/Nice username with CC to cms-comp-ops-workflow-team@cern.ch. Since you need to:
    • be added to the AFS cmst1:users
    • be added to the cms-comp-ops-workflow-team egroup
    • be added to the cmst1.pp puppet manifest

Subscribe to E-groups*

• • to do this, go to https://e-groups.cern.ch/ and log in with your CERN username and password
  • search for and subscribe to these e-groups:
    • cms-comp-ops
    • cms-comp-ops-workflow-team

Become a member of the zh:lcg_writers afs group (for site support team members)

• • Search and apply for this e-group: cms-afs-lcg-writers, it synchronized to the afs group once per day
  • You need to be a member of this afs group in order to have permission to edit files which you will need work on them
  • You can check members of this group by using this command: pts membership zh:lcg_writers
  • Note, when you get the membership, do not forget to renew your afs token by using this command: kinit

Become a member of the cmsdataops account at FNAL

• • to do this, contact Jen Adelman-McCarthy requesting to be added to the cmsdataops account at fnal

Make sure you appear in SiteDB

• • to do this, go to https://cmsweb.cern.ch/sitedb/prod/people/ and search for your name
  • if not, contact the site support team
  • Request the following roles to the workflow team group: dbs:operator and reqmgr:admin and ProductionOperator:DataOps group.

GGUS account*

• • Go to https://ggus.eu
  • Load your certificate information.
  • Use Registration link on the left side panel and select Support access (So you can update tickets).

Proxy-ssh and SSH tunnels* to several machines at FNAL and CERN

• • In order to access the WMAgent instances and for some monitoring plots to show up, you will need to create ssh tunnels to several machines.
  • Follow the instructions HERE
  • If you would monitoring the agent machines, you should also be enroled in the cmst1 group. Ask who owns the cmst1 password to add you.

Proxy certificate*: installing your cert in remote machines and getting a proxy

• • A proxy certificate is needed for any operation that uses ssl (authentication X509). These operations are: move files within the grid, to assign jobs, and to access to cmsweb.
  • This needs to be re-done once your proxy expires (usually 1 or 2 days)
  • export your myCert.p12 from your browser to your home area [do cd ~ in shell to find out where is it]
  • once a year you will need to renew your proxy.

• • unpack it by doing the following:

    cd ~ # this moves to your home area 
    openssl pkcs12 -in myCert.p12 -out myPublicCert.pem -clcerts -nokeys # this creates: myPublicCert.pem 
    openssl pkcs12 -in myCert.p12 -out myPrivKey.pem -nocerts #this creates : myPrivKey.pem 
    [enter a new password to protect your private key] 

    • more info: http://en.wikipedia.org/wiki/Public-key_cryptography
  • now move these to your afs space:

    • from local machine do:
      ssh lxplus.cern.ch
      
      then in lxplus or cmspc do: 
      mkdir .globus [this is the standard place for voms certificates]
      
      
      from local machine do:
      cd ~
      scp ~/myPrivKey.pem lxplus7.cern.ch:.globus/userkey.pem
      scp ~/myPublicCert.pem lxplus7.cern.ch:.globus/usercert.pem

  1. now you need to change permissions on the files:

chmod 400 userkey.pem   # owner read only
chmod 600 usercert.pem   # owner R&W

• • you are now ready to get your proxy:
    • lxplus (new SL6 machines)

      voms-proxy-init -voms cms 

    • lxplus5 (old SL5 machines):

      source /afs/cern.ch/cms/LCG/LCG-2/UI/cms_ui_env.sh voms-proxy-init -voms cms 

    • cmspc:

      source /uscmst1/prod/grid/gLite_SL5.sh voms-proxy-init -voms cms 

• Access to the T&I Services: ACDC Console
  • ACDC Console is behind CERN firewall, so one needs to tunnel into CERN network to access. Please follow the following instructions to do so:
    • For Firefox;
      • Download the FoxyProxy extension: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
      • Configure it w/ the following settings:
        • Proxy Type: SOCKS5
        • Proxy IP address or DNS name: localhost
        • Port: 8090
      • Open up your terminal and run the following command:

        • ssh -ND 8090 haozturk@lxplus.cern.ch

      • Now, you should be able to access to the console: https://wfrecovery.cern.ch/